The Role of Active Directory in a Layered Security Strategy

Over time, cybercriminals have settled on the tried-and-true tactics that reliably succeed and maximize profit. One lesson they have learned: by compromising Active Directory (AD), they gain control over virtually every domain-joined system in an organization and can push devastating malware to all of them at once. Building a layered security strategy is the best defense against cyberattacks that target Active Directory.

Gaining access to Active Directory empowers cybercriminals to navigate from the endpoint to the intended target – encrypting systems, accessing applications, stealing credentials, stealing data or other objectives. Let’s look at how securing Active Directory factors into preventing, detecting and responding to attacks.


Preventing attacks means keeping adversaries out, or at least minimizing their ability to gain a foothold in the organization. The sooner you stop cybercriminals in their tracks, the better. Because preventative efforts usually target the initial attack vector, phishing for example, they typically take the form of firewalls, email scanning, security awareness training and endpoint protection.

But the prevention strategy needs to assume that an attacker might get past all those defenses. Measures you can take at this stage include:

  • Restricting logons on endpoints: The first foothold in your environment is typically an ordinary Active Directory account: a standard user who can't change anything in AD and isn't even a local administrator on their own workstation. Your priority at this point is to make it hard for the attacker to elevate that user to local administrator on the endpoint. Lateral movement between endpoints gets harder still if the local administrator password is different on every system (Windows LAPS, for example, rotates a unique password per machine and stores it in AD). The most common way an intruder climbs from there to the real target, Active Directory domain admin, is by grabbing the credentials of a privileged user who logs on to the compromised endpoint. So configure your privileged accounts to prevent that theft: proper tiering, enforced through the "Deny log on ..." user-rights assignments on workstations, should make it impossible for any privileged AD account to log on to a normal user's endpoint, and placing those accounts in the Protected Users group cuts off NTLM authentication and the caching of their credentials on the machines they do use.
  • Protect critical AD objects: Once attackers hold a privileged Active Directory account, often by harvesting one from a compromised endpoint with a pass-the-hash or pass-the-ticket attack, they don't stop. The next goal is to persist, which requires changing existing objects in Active Directory. The obvious choices are well-known objects like the built-in Administrator account or the Domain Admins group, but others can be just as valuable, including Group Policy objects (a GPO linked at the domain root runs on every machine) and the AdminSDHolder object, whose permissions SDProp stamps onto every protected account and group each hour. Identify the set of objects you deem critical and lock them down so that they cannot be modified even through native administrative tools; that is an effective way to prevent the part of an attack that runs through Active Directory.
  • Back up AD: Backing up Active Directory doesn't prevent the initial attack, but 68% of organizations that have experienced a ransomware attack see a second intrusion attempt. So you need a known-secure Active Directory backup ready and waiting should an attack succeed. Two caveats: the backup must be stored where a domain admin cannot reach it, or the attacker who owns AD can destroy it as well, and a backup taken after the intrusion carries the attacker's changes with it, so the restore point has to predate the compromise.
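As an added example (not code from the article or from any vendor tool), here is a PowerShell check for the tiering rule in the first bullet. Run on a Tier 2 workstation, it exports the effective user-rights assignment with secedit and reports any Tier 0 group that is not denied every logon type. The rights themselves are normally set centrally through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment); this script only verifies the result. The group list defaults to the built-in Domain Admins, Enterprise Admins and Schema Admins; any extra group you pass in is an assumption about your own environment.

```powershell
# Added example, not code from the article: verify on a workstation that the Tier 0
# groups are denied every logon type, which is what "privileged accounts never log on
# to user endpoints" comes down to in user-rights terms. Run from an elevated session.
function Get-DenyRightGaps {
    [CmdletBinding()]
    param(
        # Built-in Tier 0 groups; add your own Tier 0 admin groups here.
        [string[]]$Tier0Groups = @("$env:USERDOMAIN\Domain Admins",
                                   "$env:USERDOMAIN\Enterprise Admins",
                                   "$env:USERDOMAIN\Schema Admins")
    )
    # The five user rights that together block every way an account can log on.
    $denyRights = @(
        'SeDenyInteractiveLogonRight',        # Deny log on locally
        'SeDenyRemoteInteractiveLogonRight',  # Deny log on through Remote Desktop Services
        'SeDenyNetworkLogonRight',            # Deny access to this computer from the network
        'SeDenyBatchLogonRight',              # Deny log on as a batch job
        'SeDenyServiceLogonRight'             # Deny log on as a service
    )

    # secedit lists rights by SID, so resolve each group name first.
    $groupSids = @{}
    foreach ($name in $Tier0Groups) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($name)
            $groupSids[$name] = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve '$name' from this machine; skipping it"
        }
    }
    if ($groupSids.Count -eq 0) { throw 'No group could be resolved; is this machine domain-joined?' }

    # Export the effective user-rights assignment to a temporary INF file.
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /mergedpolicy /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated session' }
    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -Force

    # Lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...-512,*S-1-5-32-546
    # A right that is assigned to nobody has no line at all.
    $assigned = @{}
    foreach ($right in $denyRights) {
        $line = $lines | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
        $assigned[$right] = if ($line) {
            @((($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') })
        } else { @() }
    }

    # One row per (group, right) pair that is not enforced; no rows means the workstation passes.
    foreach ($g in $groupSids.GetEnumerator()) {
        foreach ($right in $denyRights) {
            if ($assigned[$right] -notcontains $g.Value) {
                [pscustomobject]@{ Group = $g.Key; Sid = $g.Value; MissingRight = $right }
            }
        }
    }
}

Get-DenyRightGaps | Format-Table -AutoSize
```

Enterprise Admins and Schema Admins live in the forest root domain, so when this runs in a child domain the name lookup warns and skips them; pass them as ROOTDOMAIN\Enterprise Admins instead. An empty result means every listed group is denied all five logon types on this machine, which is the state the tiering model requires on every Tier 2 endpoint.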


You need to know any time an unusual change is made to Active Directory. But detecting malicious changes can be tricky, because cybercriminals often either disable auditing altogether or delete log data to cover their tracks. Some practical measures you can take:

  • Monitor AD changes: Malicious changes include creating a user account and modifying group memberships, Group Policy or the schema. To detect them you need visibility into which object changed and exactly what changed on it (for example, which setting inside a Group Policy). Native logs give you the first only if Directory Service Changes auditing is enabled and the objects carry the right SACLs, and they give you the second only partially: a GPO edit shows up as a version-number bump on the groupPolicyContainer object, not as the setting that was altered.
  • Alerting: Alerting is a standard IT operation, but here it must get the unusual activity in front of a SOC analyst or an automated response fast enough to remediate before the attacker acts on it. That means forwarding events off the domain controllers as they are written, because an attacker with domain admin rights can clear the local Security log (event 1102) or switch auditing off (event 4719), and a log that only exists on the DC is a log the attacker controls.
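As an added example (not code from the article or from any product), here is detection logic for the events the two bullets above describe: privileged-group membership changes, user creation, Group Policy and schema object changes, audit-policy changes and log clearing. Events are handled as XML, which is what EventRecord.ToXml() returns, so fields are read by their Name attribute rather than by positional index. The four sample events are constructed for this example and trimmed to the fields the rules read; the names jdoe, svc-backup, helpdesk1 and corp.example are made up, while the GPO GUID in the second sample is the well-known Default Domain Policy GUID.

```powershell
# Added example, not code from the article: turn the Security-log events that matter
# for AD into alerts. The samples at the bottom are constructed; real events carry
# many more fields and an xmlns attribute, which dot-navigation ignores.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators')

function Get-EventField {
    param([xml]$Event, [string]$Name)
    # <Data Name="Foo">value</Data> under EventData; $null if the field is absent
    $data = $Event.Event.EventData.Data
    if (-not $data) { return $null }
    ($data | Where-Object { $_.GetAttribute('Name') -eq $Name }).'#text'
}

function Get-AdAlert {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # EventID is plain text for manifest-based providers; legacy providers add a
        # Qualifiers attribute, in which case PowerShell hands back an element instead.
        $idNode = $x.Event.System.EventID
        $id   = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
        $time = $x.Event.System.TimeCreated.SystemTime
        # 1102 keeps its subject under UserData rather than EventData
        $who = Get-EventField $x 'SubjectUserName'
        if (-not $who) { $who = $x.Event.UserData.LogFileCleared.SubjectUserName }

        $alert = switch ($id) {
            1102 { @{ Severity = 'Critical'; Reason = 'Security log cleared' } }
            4719 { @{ Severity = 'High';     Reason = 'System audit policy changed' } }
            4720 { @{ Severity = 'Medium';   Reason = "User created: $(Get-EventField $x 'TargetUserName')" } }
            { $_ -in 4728, 4732, 4756 } {
                # member added to a global / domain-local / universal security group
                $group  = Get-EventField $x 'TargetUserName'
                $member = Get-EventField $x 'MemberName'
                if ($group -in $PrivilegedGroups) {
                    @{ Severity = 'Critical'; Reason = "'$member' added to privileged group '$group'" }
                } else {
                    @{ Severity = 'Low'; Reason = "'$member' added to group '$group'" }
                }
            }
            { $_ -in 5136, 5137 } {
                # directory object modified / created; these only exist if "Directory
                # Service Changes" auditing is enabled and the object has a SACL
                $class = Get-EventField $x 'ObjectClass'
                $dn    = Get-EventField $x 'ObjectDN'
                $attr  = Get-EventField $x 'AttributeLDAPDisplayName'
                if (($class -in 'groupPolicyContainer', 'classSchema', 'attributeSchema') -or
                    ($dn -like 'CN=AdminSDHolder,*')) {
                    @{ Severity = 'High'; Reason = "$class '$dn' changed (attribute: $attr)" }
                }
            }
        }
        if ($alert) {
            [pscustomobject]@{ Time = $time; EventId = $id; Subject = $who
                               Severity = $alert.Severity; Reason = $alert.Reason }
        }
    }
}

# Constructed sample events: a privileged group change, a GPO edit, a cleared log and a benign group change.
$samples = @(
    '<Event><System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-01T10:15:00Z"/></System><EventData><Data Name="MemberName">CN=svc-backup,OU=Service,DC=corp,DC=example</Data><Data Name="TargetUserName">Domain Admins</Data><Data Name="SubjectUserName">jdoe</Data></EventData></Event>',
    '<Event><System><EventID>5136</EventID><TimeCreated SystemTime="2024-05-01T10:16:30Z"/></System><EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectDN">CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example</Data><Data Name="ObjectClass">groupPolicyContainer</Data><Data Name="AttributeLDAPDisplayName">versionNumber</Data><Data Name="AttributeValue">42</Data></EventData></Event>',
    '<Event><System><EventID>1102</EventID><TimeCreated SystemTime="2024-05-01T10:20:05Z"/></System><UserData><LogFileCleared><SubjectUserSid>S-1-5-21-1111-2222-3333-1105</SubjectUserSid><SubjectUserName>jdoe</SubjectUserName></LogFileCleared></UserData></Event>',
    '<Event><System><EventID>4728</EventID><TimeCreated SystemTime="2024-05-01T09:00:00Z"/></System><EventData><Data Name="MemberName">CN=Ann Example,OU=Users,DC=corp,DC=example</Data><Data Name="TargetUserName">Marketing</Data><Data Name="SubjectUserName">helpdesk1</Data></EventData></Event>'
)
$samples | Get-AdAlert | Format-Table -AutoSize

# Live use on a domain controller:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102,4719,4720,4728,4732,4756,5136,5137 } -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | Get-AdAlert
```

The 5136 rule shows the limit noted above: it tells you which GPO changed and that versionNumber moved, not which setting was edited, because the settings live in SYSVOL and are not covered by directory auditing. Run the live query against a central collector rather than the DC's own log where you can, since the 1102 event is often the last thing an attacker lets you see locally.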


Should an unwanted change in Active Directory be made, a rapid response is crucial. Minutes can mean the difference between stopping an attacker completely and seeing ransomware deployed to every endpoint. You need visibility into the changes, context to determine whether the changes are risky and a fast response plan, which might include:

  • Rollback of AD changes: As the first step in a full response, any modification to protected accounts and groups should be rolled back immediately, and automatically where possible, to a known-secure state, nullifying the adversary's elevated position. Automatic rollback needs an allow-list of sanctioned change windows and accounts, or it will fight your own administrators.
  • Recover AD: If you lack the context and detail to formulate a decisive response, you need the ability to recover to a known-secure state at any granularity: a single object, the entire Active Directory forest with all its domain controllers, and everything in between. After a forest-level recovery, reset the krbtgt account password twice so that any Kerberos tickets the attacker forged become invalid.
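As an added example (not code from the article or from any product), here is one way to implement the rollback and single-object recovery described in the two bullets above with the RSAT ActiveDirectory module: record a baseline of a privileged group's membership by SID, and later remove any member that is not in the baseline and re-add baseline members that were removed, restoring them from the AD Recycle Bin first if they were deleted outright. 'Domain Admins' and the baseline path under $env:ProgramData are illustrative assumptions, and the Recycle Bin step assumes that optional feature is enabled in the forest.

```powershell
# Added example, not code from the article: roll a privileged group's membership back
# to a recorded baseline. Requires the RSAT ActiveDirectory module and rights on the
# group; supports -WhatIf so it can be dry-run before it changes anything.
Import-Module ActiveDirectory

function Save-GroupBaseline {
    param([string]$Group = 'Domain Admins',
          [string]$Path = "$env:ProgramData\AdBaseline\$Group.json")   # assumed location
    # Record members by SID: a SID survives a rename, a sAMAccountName does not.
    $members = Get-ADGroupMember -Identity $Group | ForEach-Object {
        [pscustomobject]@{ Sid = $_.SID.Value; Name = $_.SamAccountName; Dn = $_.DistinguishedName }
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $members | ConvertTo-Json | Set-Content -Path $Path
    $members
}

function Restore-GroupBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Group = 'Domain Admins',
          [string]$Path = "$env:ProgramData\AdBaseline\$Group.json")
    $baseline     = [array](Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current      = @(Get-ADGroupMember -Identity $Group)
    $baselineSids = $baseline.Sid
    $currentSids  = $current | ForEach-Object { $_.SID.Value }

    # Members present now but not in the baseline: the attacker's likely persistence.
    foreach ($m in $current | Where-Object { $_.SID.Value -notin $baselineSids }) {
        if ($PSCmdlet.ShouldProcess($Group, "Remove unexpected member $($m.SamAccountName) ($($m.SID.Value))")) {
            Remove-ADGroupMember -Identity $Group -Members $m -Confirm:$false
        }
    }

    # Baseline members missing now: a defender account may have been dropped or deleted.
    foreach ($b in $baseline | Where-Object { $_.Sid -notin $currentSids }) {
        $obj = Get-ADObject -Filter "objectSid -eq '$($b.Sid)'" -ErrorAction SilentlyContinue
        if (-not $obj) {
            # Not found live: look for it in the Recycle Bin (objectSid is kept on deleted objects).
            $obj = Get-ADObject -Filter "objectSid -eq '$($b.Sid)' -and isDeleted -eq `$true" `
                                -IncludeDeletedObjects -ErrorAction SilentlyContinue
            if ($obj -and $PSCmdlet.ShouldProcess($b.Name, 'Restore deleted object from the AD Recycle Bin')) {
                Restore-ADObject -Identity $obj.ObjectGUID
            }
        }
        if ($obj -and $PSCmdlet.ShouldProcess($Group, "Re-add missing baseline member $($b.Name)")) {
            Add-ADGroupMember -Identity $Group -Members $b.Sid
        }
    }
}

# Usage: take the baseline during a known-good state, then dry-run the rollback after an alert.
# Save-GroupBaseline -Group 'Domain Admins'
# Restore-GroupBaseline -Group 'Domain Admins' -WhatIf
```

This compares direct members only, so an account added through a nested group is missed unless you baseline the nested groups as well. Membership rollback is also not containment: an adversary who still holds a domain admin credential can simply re-add the account, so the rollback buys time for the credential reset and the broader recovery rather than replacing them.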

A layered Active Directory security approach gives organizations the best chance of thwarting attacks

Active Directory's prominent role in attacks demands an equal role within a layered security strategy, with measures in place to prevent, detect and respond to attacker actions within Active Directory.

What’s hot on Infosecurity Magazine?